This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Global protect Notification

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Global protect Notification

Joshan_Lakhani
L4 Transporter

‎02-27-2021 10:25 PM

Hi,

 

When I connect global protect Gateway. Once is connected I received this notification.

I have check the internet connectivity it's working fine.

 

Can you please let me know how to avoid this notification 

 

Joshan_Lakhani_0-1614493398995.jpeg

 

1 person had this problem.
0 Likes Likes
22 REPLIES 22

Mick_Ball
L7 Applicator

‎02-28-2021 02:18 AM

Someone else had this issue (on ios) and was resolved by a client update.   It may be worth a look...

 

https://live.paloaltonetworks.com/t5/general-topics/globalprotect-ipad-vpn-app/td-p/381955

0 Likes Likes

Joshan_Lakhani
L4 Transporter
In response to Mick_Ball

‎02-28-2021 02:20 AM

@Mick_Ball 

 

Thanks for you reply

 

As i  already upgrade the version from 5.1.7 to 5.2.5 version

 

0 Likes Likes

Mick_Ball
L7 Applicator
In response to Joshan_Lakhani

‎02-28-2021 02:23 AM - edited ‎02-28-2021 02:55 AM

My next step would be to check GP logs, pangps may help...

 

you can prevent popups in reg but probably best to find what causes the message.

 

show-system-tray-notifications yes | no

0 Likes Likes

Joshan_Lakhani
L4 Transporter
In response to Mick_Ball

‎02-28-2021 03:36 AM

Dear @Mick_Ball 

 

When i run this command it's not working 

 

Joshan_Lakhani_0-1614512171993.jpeg

 

Please advise

 

Mick_Ball
L7 Applicator
In response to Joshan_Lakhani

‎02-28-2021 03:41 AM

Sorry for the confusion, that was not a command, that was a registry setting in hkey\local machine to block GP popups if you wanted to...

0 Likes Likes

Joshan_Lakhani
L4 Transporter
In response to Mick_Ball

‎02-28-2021 04:09 AM

Dear @Mick_Ball 

 

Thanks for your reply

 

As we have big environment around 400 to 500 users. we are not able to do in each and every system.

is there is any other solution ?Please advise

 

0 Likes Likes

Mick_Ball
L7 Applicator
In response to Joshan_Lakhani

‎02-28-2021 05:13 AM

I have no idea as i have never had this message and we have over 6k userbase.

 

does this happen for all users, do you have only 1 gateway...  have you checked the GP logs on the device with the popup and go through the pangps file.

0 Likes Likes

dmifsud
L3 Networker

‎02-28-2021 05:27 AM

Hello,

 

This message means you have connected via SSL instead of IPsec, which is typically slower.

 

Check that you have a rule allowing the application ipsec-esp-udp and ensure that the client side / nothing else is blocking access to the gateway on UDP/4501

 

Check the traffic logs on the gateway for port 4501 to see if this is being denied on the firewall side (if you log everything anyway).

 

- DM

Sr. Technical Support Engineer, Strata

Joshan_Lakhani
L4 Transporter
In response to Mick_Ball

‎02-28-2021 11:44 PM

Dear @Mick_Ball @dmifsud 

 

Please find the Global protect Logs 

 

(P5096-T20276)Debug( 25): 03/01/21 09:09:19:601 create thread 0x774 with thread ID 2636
(P5096-T20276)Debug(2325): 03/01/21 09:09:19:601 Start FlushDNSCache thread 0x774
(P5096-T20276)Debug( 575): 03/01/21 09:09:19:601 Save route table snapshot...
(P5096-T20276)Debug( 780): 03/01/21 09:09:19:601 sslvpn connect() succeed
(P5096-T20276)Debug( 782): 03/01/21 09:09:19:601 Send notification of The network connection is unreliable and GlobalProtect reconnected using an alternate method. You may experience slowness when accessing the internet or business applications..
(P5096-T20276)Debug(1730): 03/01/21 09:09:19:603 Send response to client for request gateway-failed
(P5096-T20276)Debug(10891): 03/01/21 09:09:19:603 VPN tunnel is connected.
(P5096-T20276)Debug(10895): 03/01/21 09:09:19:603 Enable life time and create life time thread.
(P5096-T20276)Debug( 25): 03/01/21 09:09:19:603 create thread 0x7bc with thread ID 3624
(P5096-T20276)Debug(6849): 03/01/21 09:09:19:603 --Set state to Connected
(P5096-T3624)Debug(4317): 03/01/21 09:09:19:603 LifeTimeThread starts
(P5096-T20276)Debug(1142): 03/01/21 09:09:19:604 Display hip report V4 on the UI
(P5096-T20276)Debug(11159): 03/01/21 09:09:19:604 SetVpnStatus called with new status=1, Previous Status=0
(P5096-T20276)Debug(4161): 03/01/21 09:09:19:604 UpdatePrelogonStateForSSO() - User-logon tunnel state = Connected
(P5096-T20276)Debug(2660): 03/01/21 09:09:19:607 Tunnel is created with the gateway deltacrp.dyndns.org
(P5096-T20276)Debug(1605): 03/01/21 09:09:19:607 Refresh proxy

0 Likes Likes

Mick_Ball
L7 Applicator
In response to dmifsud

‎03-01-2021 01:14 AM

@dmifsud Do you know what version of PAN gives this message out?

 

@Joshan_Lakhani What version of PAN OS are you currently running.

 

I often see "switched to SSL" in user logs but still no popup for them.

 

 

0 Likes Likes

Joshan_Lakhani
L4 Transporter
In response to Mick_Ball

‎03-01-2021 01:16 AM

@Mick_Ball 

 

As i troubleshoot further i found that all the user are connect via ssl VPN but we have configure the IPSEC vpn.

 

Global protect Version is 5.2.5

 

(P4912-T7656)Debug( 166): 02/21/21 13:54:12:406 Trying to do ipsec connection to 178.153.34.106[4501]
(P4912-T7656)Debug( 487): 02/21/21 13:54:12:406 socket send buffer old size is 65536
(P4912-T7656)Debug( 511): 02/21/21 13:54:12:406 socket send buffer new size is 3145728
(P4912-T7656)Debug( 563): 02/21/21 13:54:12:413 Network is reachable
(P4912-T7656)Info ( 178): 02/21/21 13:54:12:414 Connected to: 178.153.34.106[4501], Sending keep alive to ipsec socket...
(P4912-T7656)Info ( 221): 02/21/21 13:54:18:427 failed to receive keep alive
(P4912-T7656)Debug( 229): 02/21/21 13:54:18:427 IPSec anti-replay statistics: outside window count 0, replay count 0
(P4912-T7656)Debug( 231): 02/21/21 13:54:18:427 Disconnect udp socket
(P4912-T7656)Info ( 364): 02/21/21 13:54:18:427 Connecting to 178.153.34.106 failed
(P4912-T7656)Info ( 276): 02/21/21 13:54:18:427 Start vpn do_connect() failed
(P4912-T7656)Debug( 336): 02/21/21 13:54:18:427 tunnel statistics: send bytes(0) packets(0) errors(0) drops(0) queue-size(0), recv bytes(0) packets(0) errors(0) drops(0) queue-size(0)
(P4912-T7656)Debug( 338): 02/21/21 13:54:18:427 do_disconnect is called in VPN stop
(P4912-T7656)Debug( 709): 02/21/21 13:54:18:427 ipsec failed to start
(P4912-T7656)Info ( 102): 02/21/21 13:54:18:427 VPN is deleted
(P4912-T7656)Debug( 766): 02/21/21 13:54:18:427 IPSec fallback reason is IPSec connection failed
(P4912-T7656)Debug( 161): 02/21/21 13:54:18:427 disconnect-on-idle timeout is 10800
(P4912-T7656)Debug( 171): 02/21/21 13:54:18:427 VPN idle timeout is 10800; config timeout is 10800
(P4912-T7656)Debug( 219): 02/21/21 13:54:18:427 EnforceDns is enabled, set 2 GP pushed DNS servers
(P4912-T7656)Debug( 65): 02/21/21 13:54:18:427 Trying to do SSL connection to 178.153.34.106(443)
(P4912-T7656)Debug( 788): 02/21/21 13:54:18:427 SSL connecting to 178.153.34.106
(P4912-T7656)Debug( 487): 02/21/21 13:54:18:427 socket send buffer old size is 65536
(P4912-T7656)Debug( 511): 02/21/21 13:54:18:427 socket send buffer new size is 3145728
(P4912-T7656)Debug( 563): 02/21/21 13:54:18:435 Network is reachable
(P4912-T7656)Debug(1274): 02/21/21 13:54:18:471 Failed to X509_LOOKUP_load_file
(P4912-T7656)Debug( 374): 02/21/21 13:54:18:471 Open_SSL_connection: subject '/CN=deltacrp.dyndns.org'
(P4912-T7656)Debug( 378): 02/21/21 13:54:18:471 Open_SSL_connection: issuer '/CN=deltacrp.dyndns.org'
(P4912-T7656)Info ( 113): 02/21/21 13:54:18:479 Connected ssl tunnel to 178.153.34.106(443)
(P4912-T7656)Info ( 374): 02/21/21 13:54:18:479 tunnel to 178.153.34.106 connected
(P4912-T7656)Debug( 394): 02/21/21 13:54:18:666 PsvRegister done
(P4912-T7656)Debug( 25): 02/21/21 13:54:18:666 create thread 0xb70 with thread ID 14232
(P4912-T14232)Debug( 443): 02/21/21 13:54:18:667 VpnProcMonitor thread starts
(P4912-T14232)Debug( 507): 02/21/21 13:54:18:667 New ProcMon thread priority 2
(P4912-T7656)Debug(3027): 02/21/21 13:54:18:667 Gateway: deltacrp.dyndns.org, client IP: 172.22.18.32
(P4912-T7656)Debug( 115): 02/21/21 13:54:18:667 SPInit
0 Likes Likes

Mick_Ball
L7 Applicator
In response to Joshan_Lakhani

‎03-01-2021 01:24 AM

yes but IPSec is failing at some point..  this is what @dmifsud was telling you.

GlobalProtect will revert to SSL if IPSec fails.

 

(P4912-T7656)Info ( 221): 02/21/21 13:54:18:427 failed to receive keep alive

 

 

@Joshan_Lakhani could you confirm software version running on firewall.

 

0 Likes Likes

Joshan_Lakhani
L4 Transporter
In response to Mick_Ball

‎03-01-2021 01:26 AM

@Mick_Ball 

 

Global protect version is 5.2.5 version

0 Likes Likes

Mick_Ball
L7 Applicator
In response to Joshan_Lakhani

‎03-01-2021 01:31 AM

could you tell me the software version of the firewall]

MickBall_0-1614591063544.jpeg

 

0 Likes Likes
  • 9665 Views
  • 22 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks